Ahead of Super Bowl LIV, a number of NFL teams have had their social media accounts hacked
The official social media accounts, including those on Twitter, Facebook and Instagram, of 15 National Football League (NFL) teams, and the NFL itself, have been hacked. As well as the two teams that will play in the Super Bowl LIV Championship match on February 2, the Kansas City Chiefs and the San Francisco 49ers, a total of 13 other NFL teams were targeted.
The vast majority of the compromised accounts were on the Twitter platform, and have been named as: the NFL, Arizona Cardinals, Chicago Bears, Cleveland Browns, Denver Broncos, Green Bay Packers, Houston Texans, Indianapolis Colts, Kansas City Chiefs, New York Giants, Philadelphia Eagles, San Francisco 49ers and Tampa Bay Buccaneers. The Dallas Cowboys accounts on Facebook and Instagram, as well as Twitter, were hijacked, while the Buffalo Bills had both Facebook and Instagram targeted and the Minnesota Vikings had their Instagram account targeted.
Saudi hacking group takes responsibility for the NFL team hack attacks
The hackers behind the account hijackings have been named as a Saudi group known as OurMine. The BBC reported that OurMine took responsibility for the attacks to demonstrate how bad internet security is. A Bloomberg report stated that a post by the hackers to the official Green Bay Packers Twitter account read: “We are here to show people that everything is hackable.” USA Today reported that OurMine claimed in the now-deleted tweets that it could improve account security. In the past, OurMine has been known to provide contact details within posts to compromised accounts, offering to help victims with their security efforts.
Currently, it is not clear how the hackers got access to so many NFL team accounts, although ZDNet said that many of the tweets appeared to come from a social media account management service called Khoros. While admitting that it was helping a Khoros customer to manage “an incident,” a Khoros spokesperson told ZDNet that “the Khoros platform was not compromised.”
Was a weak API behind the account compromises?
Although the precise nature of the compromise methodology is yet to be determined, Ian Thornton-Trump, CISO at Cyjax, says that it has the hallmarks of targeting the supply chain to compromise accounts on bigger fish such as Twitter. “My guess on this is that once it became known what ‘helper-app’ was preferred by the NFL social media folks,” Thornton-Trump says, “a cunning attacker then ‘tried all the things’ until one worked.” Referring to it as a “dirty little secret,” Thornton-Trump says that “application programming interfaces (APIs) are very poorly secured and are, perhaps, the ground zero of security by obscurity.”
What we do know, however, is that the usual hijacking methodology certainly involves using credentials from employees with access to such accounts. It is the weapon of choice of another hacking group with a similar history of account takeovers, the Chuckling Squad. Most recently, it compromised the Twitter accounts of both Mariah Carey and Adam Sandler.
Hackers targeting football teams in Super Bowl week is unsurprising
It should come as no surprise that such high-profile social media accounts are on the radar for hacking groups, especially during a week in which sports media is focused on the Super Bowl. “By compromising these accounts, especially in large numbers, they are able to use them to spread a message to a large audience of followers without needing to cultivate such a following themselves,” Ashlee Benge, a threat researcher at ZeroFOX, said. “We often see these compromised accounts used for a sort of tagging, where the hacker group uses the accounts to make their name known.” That certainly happened with the NFL team account takeovers; the press coverage generated around the attacks (mea culpa) feeds the need for such notoriety amongst hacking groups such as OurMine.
If it does turn out that it was an API weakness that was exploited by the OurMine hackers, then Thornton-Trump will not be surprised. “As a best practice, API connections need to be authenticated and encrypted,” he says, “with perhaps even blacklist and whitelist capabilities applied to the connections.” Otherwise, the result can be an epic security failure of an otherwise very secure service or product. “It’s an attack surface we will see more and more,” Thornton-Trump concludes, “as we connect more apps and more devices to each other.”
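The controls Thornton-Trump lists (authenticated, encrypted API connections with allowlist and denylist checks) can be shown in a few dozen lines. The following is an added example, not code from the article, from Khoros or from any NFL team: a gatekeeper that an API for posting on behalf of a team account could run before accepting a call from a third-party management tool. It refuses plaintext transport, requires a per-client HMAC signature over a timestamp and the request body so that a leaked endpoint URL alone is useless and captured requests cannot be replayed, and checks the caller's address against an allowlist and a denylist. The client IDs, secret, addresses, header names and request body are all constructed sample values.

```python
"""Added example: request gatekeeper for a third-party social media API.

Not the article's or any vendor's code. Client registry, secret, networks,
header names and the sample request are constructed values.
"""
import hashlib
import hmac
import ipaddress
import time

# Constructed client registry: key id -> shared secret and allowed networks.
CLIENTS = {
    "helper-app-01": {
        "secret": b"example-shared-secret-do-not-reuse",
        "allow": [ipaddress.ip_network("203.0.113.0/24")],
    },
}
# Constructed denylist; checked before the allowlist so a block always wins.
DENYLIST = [ipaddress.ip_network("203.0.113.66/32")]
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is older than this


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over the timestamp and body; the client sends this value."""
    msg = timestamp.encode() + b"\n" + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(scheme, source_ip, headers, body, now=None):
    """Return (True, 'ok') for an acceptable request, else (False, reason).

    Checks run in order: transport, client identity, denylist, allowlist,
    freshness, then signature. Every failure is a refusal with a reason that
    can be logged for detection without echoing the secret.
    """
    now = time.time() if now is None else now
    if scheme != "https":
        return False, "plaintext transport rejected"
    client = CLIENTS.get(headers.get("X-Key-Id"))
    if client is None:
        return False, "unknown key id"
    addr = ipaddress.ip_address(source_ip)
    if any(addr in net for net in DENYLIST):
        return False, "source denylisted"
    if not any(addr in net for net in client["allow"]):
        return False, "source not allowlisted"
    ts = headers.get("X-Timestamp", "")
    try:
        age = abs(now - float(ts))
    except ValueError:
        return False, "bad timestamp"
    if age > MAX_SKEW_SECONDS:
        return False, "stale request"
    expected = sign(client["secret"], ts, body)
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    return True, "ok"


def make_request(key_id, body, now):
    """Build the headers a legitimate client would send (constructed format)."""
    ts = str(int(now))
    return {
        "X-Key-Id": key_id,
        "X-Timestamp": ts,
        "X-Signature": sign(CLIENTS[key_id]["secret"], ts, body),
    }


if __name__ == "__main__":
    now = time.time()
    body = b'{"text": "Game day!"}'  # constructed post payload
    hdrs = make_request("helper-app-01", body, now)
    print(verify_request("https", "203.0.113.10", hdrs, body, now))
    print(verify_request("http", "203.0.113.10", hdrs, body, now))
    print(verify_request("https", "198.51.100.5", hdrs, body, now))
```

The order of the checks matters for operations: an address on the denylist is refused even when the allowlist would admit it, and a stale or unsigned request is refused before the signature is computed, so the refusal reasons give an operator a clean signal of which control fired.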